US Banks: Training the next generation of phishing victims
Nick Owen
nowen at wikidsystems.com
Wed Oct 12 08:28:56 EDT 2005
Peter Gutmann wrote:
>
> Can anyone who knows Javascript better than I do figure out what the mess of
> script on those pages is doing? It looks like it's taking the username and
> password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
> it's a bit hard to follow what's going where.
>
Why have the log on your homepage at all? Why not just a link to the
https login??? If the goal is to not have SSL overhead on the homepage,
don't. Or is there some extra overhead for login processing that I
don't know about? Is there some user dissatisfaction with an extra
click to login?

I suppose if you really wanted non-SSL logins, you could use a one-time
passcode system with variable length passcodes to prevent race attacks.
--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com